Cloudtrail event notifications
Hello, we have configured a Control Tower landing zone and enrolled tens of accounts in our organization.
We would like to monitor some of the actions (ConsoleLogin, SwitchRole, CreateUser, CreatePolicy, CreateRole, PutGroupPolicy, ...) across all accounts in organization and be notified when the action occurs via Slack or Pagerduty.
Is there any out of box solution or recommended approach?
I am considering two approaches:
1. Listen to the CloudTrail S3 logs bucket
Create an account which will have read-only access to the CloudTrail logs S3 bucket in the Log Archive account. A Lambda function will be triggered on new objects in the bucket. It will download the files from S3 and parse the events. The huge disadvantage is that it will have to parse all CloudTrail entries, which could be expensive and inefficient.
2. Aggregate events using EventBridge buses
Create a dedicated account "Audit Notifications" where an EventBridge event bus will aggregate matched events from all other accounts. In the "Audit Notifications" account there will be an event rule with a Lambda target forwarding the matched events from all accounts to Slack/PagerDuty/... An event rule forwarding matched events to the Event Bus target in "Audit Notifications" will be deployed into each governed region in each member account. Similar to what is described in https://aws.amazon.com/premiumsupport/knowledge-center/root-user-account-eventbridge-rule/
I favor the second approach, but maybe there are some other options. Thanks.
Hi, there are probably a couple of ways to achieve this, but here's a common pattern. With Control Tower, it sets up the centralized log bucket, but also configures a CloudWatch Log Group in each account for local CloudTrail logs. You can create Metric Filters on that Log Group for specific actions, for instance IAM policy changes or failed logins. Documentation here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CreateMetricFilterProcedure.html and https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html.
That log filter can send the alerts to the Control Tower-created SNS topic aws-controltower-SecurityNotifications. This topic forwards the alerts via a Lambda function to a topic in the Audit account, which can then have subscriptions to email, PagerDuty, etc. Bear in mind that the central SNS topic may get a little noisy, so it may be a case of creating new topics. You could also subscribe to the SNS topics in each account differently. That would provide some flexibility on who/what gets alerts from specific accounts.
On the deployment side, if you are using CloudFormation and create a template for the metric filters, then the Customizations for Control Tower solution https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/ or Organizations StackSets https://aws.amazon.com/blogs/aws/new-use-aws-cloudformation-stacksets-for-multiple-accounts-in-an-aws-organization/ can help you deploy the same template to many accounts quickly and easily, managing the deployment and updates from a central location.
Hi Jimmy, thanks for the suggestions. I was considering connecting it to the CloudWatch Log Group created in each member account for CloudTrail; however, I am more interested in distinct events than in metric alerts at the moment, so I would have to use a subscription filter instead of a metric filter on the log group. But the subscription filter does not support an SNS topic or Event Bus in the same or a different account.
That is why I chose a default Event Bus filter on CloudTrail events in the member account, forwarding to a custom Event Bus in the Audit Notifications account. A template similar to https://gist.github.com/Halama/e5db7ab0cc7b2762ff7f9a28fa1eac84#file-cloudtrail- would be deployed into each member account using Organizations StackSets as you suggested (CT customizations are promising, but at the moment they seem too complex).
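The member-account half of the second approach, as an added CloudFormation example that is not the thread's or the linked gist's template: a rule on the default bus matching the CloudTrail events listed in the question and forwarding them to the Audit Notifications bus. The Audit account ID, the bus name `audit-notifications`, and the role and rule names are assumed placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Forward selected CloudTrail events to the Audit Notifications event bus (added example)

Parameters:
  AuditAccountId:
    Type: String
    Description: Account ID of the Audit Notifications account (placeholder, assumed)
  AuditEventBusName:
    Type: String
    Default: audit-notifications   # assumed name of the custom bus in the Audit account

Resources:
  # Role that EventBridge assumes to call PutEvents on the bus in the other account
  ForwardRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: PutEventsToAuditBus
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: events:PutEvents
                Resource: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AuditAccountId}:event-bus/${AuditEventBusName}

  # Rule on the default bus, where CloudTrail delivers management events
  AuditEventsRule:
    Type: AWS::Events::Rule
    Properties:
      Name: forward-audit-events-to-audit-account
      State: ENABLED
      EventPattern:
        detail-type:
          - AWS API Call via CloudTrail            # IAM API calls
          - AWS Console Sign In via CloudTrail     # ConsoleLogin / SwitchRole
        detail:
          eventSource: [iam.amazonaws.com, signin.amazonaws.com]
          eventName: [ConsoleLogin, SwitchRole, CreateUser, CreatePolicy, CreateRole, PutGroupPolicy]
      Targets:
        - Id: AuditAccountBus
          Arn: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AuditAccountId}:event-bus/${AuditEventBusName}
          RoleArn: !GetAtt ForwardRole.Arn
```

The custom bus in the Audit account still needs a resource policy that grants `events:PutEvents` to the organization's accounts (for example conditioned on `aws:PrincipalOrgID`). IAM is a global service whose API events are recorded in us-east-1, so that region must be among the governed regions the StackSet targets.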